This write-up is the walkthrough for OverTheWire Natas level 12 to level 14. Both levels are upload-an-image style challenges in which the goal is to get a PHP shell onto the server by bypassing the upload checks in the code.
LEVEL 12 – 13:
The above image is the screen for OverTheWire Natas challenge 12. When you click on "View sourcecode", this is what you will find:
The code marked 1 is the PHP function that checks the size of the file. The uploaded file is renamed with the genRandomString() function defined above it, and the destination path is built from the "/uploads/" directory plus that random name. If you look closely, the code marked 2 is the HTML form, and it carries two hidden values: the maximum file size and the random name produced by genRandomString(). Both values come from the client, so the server is trusting the browser to send them back unchanged.
I started Burp Suite to change the values of the submitted form. I made the changes in the highlighted strings below.
fi70lbrlhp.jpg was the random name the function generated; I changed the extension to .php.
pic.php is the actual file I uploaded; it contains the highlighted PHP code above.
This is the PHP code in the pic.php file I uploaded:
<?php echo passthru('cat /etc/natas_webpass/natas13'); ?>
Forward the request.
Click on the generated link above and the password for level 13 will be echoed.
LEVEL 13-14:
This level is very similar to level 12; the only difference is that the check is a little stricter. The file content is inspected to decide whether it is an image or not. If you click the "View sourcecode" button, you will see code almost identical to level 12, with one added call: exif_imagetype(), which determines the file type from its content. Note that it reads only the signature bytes at the start of the file, not the rest of it.
This time, I uploaded an actual image file.
Burp Suite intercepts the request:
I changed number 1 from jpg to php, and at number 2, keeping the content of the image itself, I added a small piece of PHP code:
<?php echo "<br>"; system("cat /etc/natas_webpass/natas14"); ?>
Click on the generated link and the password will appear.
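Both levels fail for the same two reasons: the server trusts values the client can edit (the hidden size and filename fields in level 12), and it relies on a signature check that looks only at the first bytes of the file (exif_imagetype() in level 13). The handler below is an added example written for this write-up, not the Natas source and not anything from OverTheWire. It assumes PHP 8 with the GD and EXIF extensions, a form file input named "uploadedfile", and an upload directory "/var/app/private_uploads" that the web server does not serve; all three are assumptions, as is the 1000-byte size limit.

```php
<?php
// Added example (not the Natas code): a hardened version of the upload handler.
// Assumed: PHP 8 with GD and EXIF, a file input named "uploadedfile", and an
// upload directory outside the web root.
declare(strict_types=1);

const MAX_BYTES  = 1000;                        // assumed limit for this example
const UPLOAD_DIR = '/var/app/private_uploads';  // assumed: never served by the web server

// Allowed image types, keyed by the constant exif_imagetype() returns.
// The stored extension is derived from this table, never from the request.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

// Validate one entry of $_FILES and return the extension the server will use.
function validateUpload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Size is measured on the server; a hidden form field is not consulted.
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Magic-byte check: useful as a first filter, but it only inspects the
    // leading bytes, so it is not sufficient on its own.
    $type = exif_imagetype($file['tmp_name']);
    if ($type === false || !array_key_exists($type, ALLOWED_TYPES)) {
        throw new RuntimeException('not an allowed image type');
    }
    return ALLOWED_TYPES[$type];
}

// Decode and re-encode the image. Anything that is not pixel data, including
// bytes appended after a valid image header, does not survive this step.
function reencodeImage(string $tmpPath, string $ext, string $destPath): void
{
    $img = imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $destPath, 85),
        'png' => imagepng($img, $destPath),
        'gif' => imagegif($img, $destPath),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
}

// Store the upload under a server-chosen name and return that name.
function handleUpload(array $file): string
{
    $ext = validateUpload($file);
    // Name and extension are chosen here, after validation, so editing a
    // "filename" field in the request has no effect on what gets written.
    $name = bin2hex(random_bytes(8)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    reencodeImage($file['tmp_name'], $ext, $dest);
    chmod($dest, 0644);
    return $name;
}

if (isset($_FILES['uploadedfile'])) {
    try {
        $stored = handleUpload($_FILES['uploadedfile']);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Three design choices map directly onto the two levels. Generating the name and extension on the server, after the content check, removes the level 12 trick of renaming the file through the hidden field. Re-encoding through GD rather than copying the upload removes the level 13 trick of appending code after a real image header, because only decoded pixels are written out. Storing the result outside the web root is the safety net: even if both checks were somehow defeated, the web server would never hand the file to the PHP interpreter.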